
IMAP via PHP: /ssl and /tls choose different TLS version

I'm using z-push-contrib to get emails from an IMAP server (run by me as well).

If I use the imap_open option /ssl and connect to port 993, TLS 1.2 is being used.

If I use /tls and connect to port 143 using STARTTLS, TLS 1.0 and a different cipher is being used.

SMTP behaves the same (STARTTLS only uses TLS 1.0).

If I use openssl from the command line, TLS 1.2 is being used:

It doesn't matter whether I connect to port 993 or to 143 with STARTTLS; I always get a TLS 1.2 connection using the same strong, modern cipher.

Is this a bug in PHP's OpenSSL implementation?

No, it's defined in the PHP documentation:

  • /tls : force use of start-TLS to encrypt the session, and reject connection to servers that do not support it
  • /ssl : use the Secure Socket Layer to encrypt the session

The difference is very subtle. Basically, STARTTLS connects to an unencrypted port/connection and then asks for encryption, while TLS/SSL sessions are encrypted before any text is transmitted (see STARTTLS). They usually use different ports, but it's common for mail servers to support both on both ports (so they support a broader range of clients).

Cipher and TLS version choice is based on client-server negotiation, but STARTTLS could be understood as a less-capable client or server, so the parameters for the decision differ.

AFAIK, there's no limitation on the usage of TLS 1.1 and TLS 1.2 when connecting through STARTTLS, but they do connect differently than TLS/SSL.

When in doubt, use TLS/SSL, since it's more secure :)


Update

The PHP IMAP extension makes use of the c-client library for IMAP protocol-specific functions. This library is somewhat outdated (2007) and probably handles STARTTLS commands differently than calling openssl, which is why the encryption/ciphers used differ.
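The two connection modes discussed above (implicit TLS on port 993, STARTTLS on port 143) can be compared with `openssl s_client`, the tool the question mentions. This is an added example, not code from the original post; the function names, the constructed sample excerpts and the host you pass in are assumptions.

```bash
# Added example (not from the original post). Names and samples are assumptions.

# Reduce `openssl s_client` output on stdin to "<protocol> <cipher>".
tls_summary() {
  awk -F' *: *' '
    /^ +Protocol +:/ { proto = $2 }
    /^ +Cipher +:/   { cipher = $2 }
    END {
      if (proto == "") proto = "none"
      if (cipher == "" || cipher == "0000") cipher = "none"  # 0000: no handshake
      print proto, cipher
    }'
}

# Implicit TLS (imap_open /ssl): handshake happens before any IMAP text.
probe_implicit() {
  openssl s_client -connect "$1:993" -servername "$1" </dev/null 2>/dev/null | tls_summary
}

# STARTTLS (imap_open /tls): plaintext greeting, upgrade request, then handshake.
probe_starttls() {
  openssl s_client -starttls imap -connect "$1:143" -servername "$1" </dev/null 2>/dev/null | tls_summary
}

# Exit 0 if the protocol is older than TLS 1.2 (s_client prints TLS 1.0 as "TLSv1").
is_legacy() {
  case "$1" in SSLv3|TLSv1|TLSv1.1) return 0 ;; *) return 1 ;; esac
}

# Report differences between two summaries; exit 0 only if equal and modern.
compare_modes() {
  cm_rc=0
  [ "$1" = "$2" ] || { echo "MISMATCH implicit='$1' starttls='$2'"; cm_rc=1; }
  if is_legacy "${1%% *}"; then echo "LEGACY implicit: ${1%% *}"; cm_rc=1; fi
  if is_legacy "${2%% *}"; then echo "LEGACY starttls: ${2%% *}"; cm_rc=1; fi
  return "$cm_rc"
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_TLS12='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_TLS10='    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'

if [ "$#" -ge 1 ]; then   # live check against the host given as first argument
  compare_modes "$(probe_implicit "$1")" "$(probe_starttls "$1")"
else                      # offline demo on the constructed excerpts
  compare_modes "$(printf '%s\n' "$SAMPLE_TLS12" | tls_summary)" "$(printf '%s\n' "$SAMPLE_TLS10" | tls_summary)" || true
fi
```

This reports what the server negotiates with the openssl client in each mode; it does not show what PHP's c-client negotiates.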
